The widespread transition of data from analog format to digital format has exacerbated problems relating to unauthorized copying and redistribution of protected content. Flawless copies of content can be readily produced and distributed via the Internet. This piracy is a major concern and expense for content providers.
Further, a new type of home consumer device for digital content management has been enabled by the advent of inexpensive, large-capacity hard disks. A movie rental box receives digital movies from some inexpensive source of data, usually a broadcast source (whether terrestrial or satellite-based). The movies do not have to be delivered in real time. Instead, they are stored on the hard disk, so that at any moment the hard disk contains, for example, the hundred hottest movies in the rental market. The consumer can simply select a particular movie and hit “play” to begin viewing a movie. The movie rental box periodically calls a clearing center and reports the content usage of the consumer for billing purposes; the box may also acquire new decryption keys during this call.
This approach to content distribution is a one-to-many type of distribution system such as, for example, distribution of pre-recorded or recordable media, a pay-per-view TV system, etc. The advantages the box provides to the consumer are obvious: he or she no longer has to go to the video rental store, and does not have to return a rental tape or DVD. The consumer value proposition of movie rental boxes is so compelling it is estimated that there will be 20 million such boxes in the United States within five years.
Content providers need to know what security problems are associated with these boxes, i.e. how can a user get a movie without paying for it? The simple attack of merely disconnecting the box so that it cannot call the clearing center can achieve only a short-lived advantage because the clearing center can simply refuse to provide new decryption keys to such a box. Likewise, the periodic “calling home” makes detection of clone boxes relatively easy.
A serious attack is likely to be the so-called “anonymous” attack, wherein a user or a group of users purchase rental movies from legitimate movie rental boxes that have been instrumented so that the protected content or the decryption keys can be captured and redistributed, often over the Internet. This “Napster-style” attack focused on movies instead of music is the most urgent concern of the movie studios that are investigating content protection technology.
One solution to the problem is to differently watermark and differently encrypt each movie for each authorized movie rental box, so that if a movie were pirated the watermarking and encryption information can uniquely identify the compromised box. However, this solution is not feasible because of the excessive computing effort and transmission bandwidth required to prepare and transmit individualized movies. The distribution system is economical only if the movies can be distributed over broadcast channels, i.e., every box gets substantially the same data at the same time.
To solve the broadcast problem, the approach known in the art as “traitor tracing” is used. In this conventional approach, an original version of each movie file is augmented before being broadcast. Specifically, the file that is actually broadcast has at least one critical file segment replaced by a set of segment variations. Each file segment variation is differently encrypted before encryption, or differently encrypted and watermarked before encryption. The entire file may also be watermarked. All the variations in one segment are identical for viewing purposes. A receiver is given the cryptographic key to decrypt only one of the variations in each segment. If the receiver is compromised and is used to illegally rebroadcast either the keys or the segments themselves, it is possible to deduce which receiver or receivers have been compromised. Although this technology has proven to be useful, it would be desirable to present additional improvements. The traitor-tracing approach has not been widely used in practice to date, because previously known methods required unreasonable amounts of bandwidth in the broadcast, due to the number of segments or variations required.
One conventional solution using a traitor-tracing approach equips authorized users with security devices that can decode content; unauthorized clients do not have decoding capabilities. A traitor detection system generates different decoding capabilities and creates a file that associates the decoding capabilities with specific authorized clients. In the event an authorized user illicitly transfers content to an illegitimate user, this conventional approach consults the association file to identify one or more of the authorized clients associated with the illicitly transferred decoding capabilities.
Although this technology has proven to be useful, it would be desirable to present additional improvements. This approach requires a broadcaster to dynamically change the segment variations assigned to the individual receivers “on the fly”, based on instantaneous feedback on the re-broadcasted data. This conventional approach is not useful for applications such as rental movie boxes, because the pirate has no urgent need to immediately rebroadcast the movies. For example, the pirate can wait for months without losing substantial revenue, if that helps the pirate defeat a traitor-tracing scheme.
Another conventional approach comprises a traitor-tracing scheme against re-digitization and anonymous attacks. This conventional approach assigns codes to variations of content; the assigned codes are similar to error-correcting codes. The content typically comprises 255 different movie sequences, each movie having 256 variations. After 255 movies, the assignment repeats.
By adding a level of indirection, each media player needs to store only 255 keys, corresponding to the 255 movies in the sequence; each of these 255 keys is referred to a “sequence key”. The assignment of these keys is based on the “outer code” of this conventional approach, corresponding to a sequence of 255 movies. Each sequence key in the sequence of 255 movies has 256 versions, corresponding to the 256 movie versions. Each media player has the 255 sequence keys, installed when the media player is manufactured.
It might be beneficial to consider the sequence keys as being organized in a matrix. In the example above, the matrix would have 255 columns, one for each movie in the sequence, and would have 256 rows, one for each movie version. A given media player would have exactly one sequence key in each column. Which row each key would have would be set by the outer code.
To continue with the example, when requested to play a movie, the media player determines which sequence number the movie is using, 0 to 255. The sequence number is stored on the movie disc. For an exemplary sequence number 44, the media player combines a sequence key #44 stored on the media player with cryptography values comprising a media key in use on the disc to calculate a movie unique key. The media player knows the version of the sequence key #44 stored on the media player. For exemplary purposes, a version #141 of sequence key #44 is stored on the media player. The media player then uses sequence key to decrypt version #141 of the movie.
Although this technology has proven to be useful, it would be desirable to present additional improvements. The traceability of this approach is partially dependent on the number of variations per segment. Larger numbers of variations per segment provide improved traceability. The selection of the number of variations per segment is affected by watermarking efficiency and the bandwidth allowed by the application scenario. For example, choosing 256 variations per movie where the segments where the variations exist comprise a 2 second scene requires about 5-10% extra bandwidth. The small number of variations chosen due to these restrictions partially adversely affects the traceability of the scheme.
In a re-digitization attack, attackers redistribute the decrypted clear content. However, in an anonymous key attack, attackers simply redistribute the decryption keys for the content. The key attack is considered the more likely attack against the encrypted content. When the attack is redistributing the decryption key, watermark robustness and extra bandwidth are irrelevant. For every recovered movie with q variations, a traitor trace can trace the attack to 1/q of the population, assuming a single user initiated the attack. Higher values of q provide improved traceability. However, higher values of q require additional storage and bandwidth. Thus, an improved traceability for detection of a source of a key attack is desirable that enables a larger number of effective movie variations.
Furthermore, a licensing agent may wish to determine the manufacturer or model of a media player rather than an individual media player. The licensing agent may wish to determine whether a particular model of a media player is faulty or whether a manufacturer is intentionally allowing leaks of decryption keys. If the media player is faulty, the manufacturer can issue, for example, software or firmware updates to owners of the media. Moreover, the licensing agent may limit a trace to manufacturers or models to protect privacy of individual content users. For example, a manufacturer may make an attack against a decryption key by distributing a decryption key or failing to adequately protect a decryption key. In this case, the licensing agent wishes to trace the source of the attack without maligning or harming individual users. It is therefore desirable to have a hybrid approach to traitor tracing that allows detection of any combination of the manufacturer, model, or the individual media player from which a decryption key or content was pirated.
When tracking only to a manufacturer or model, for any file, the individual media players within the same manufacturer or model receive the same file version assignment. However, the individual media players are assigned the sequence keys based on tracing to individual media players rather than manufacturers or models. To extend the capability to manufacturers or models, each table is duplicated 256 times. Each of these 256 tables is then encrypted 256 times, for each of the sequence key versions, resulting in 256*256 tables per file. However, this approach requires a substantial amount of storage on the disk and a substantial amount of bandwidth for transmitting these encrypted tables.
What is therefore needed is a system, a computer program product, and an associated method for assigning sequence keys to a media player to efficiently enable hybrid traitor tracing. The need for such a solution has heretofore remained unsatisfied.